IETF Logo Mail Archive

Re: [Dcrup] rsa-sha1 proposals

Jim Fenton <fenton@bluepopcorn.net> Tue, 20 June 2017 17:52 UTC

Return-Path: <fenton@bluepopcorn.net>
X-Original-To: dcrup@ietfa.amsl.com
Delivered-To: dcrup@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E8BA12F3D3 for <dcrup@ietfa.amsl.com>; Tue, 20 Jun 2017 10:52:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=bluepopcorn.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VUz6-_QnnxU7 for <dcrup@ietfa.amsl.com>; Tue, 20 Jun 2017 10:52:49 -0700 (PDT)
Received: from v2.bluepopcorn.net (v2.bluepopcorn.net [IPv6:2607:f2f8:a994::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 62B27129493 for <dcrup@ietf.org>; Tue, 20 Jun 2017 10:52:49 -0700 (PDT)
Received: from splunge.local ([IPv6:2601:647:5500:1330:fd7a:2368:ef63:6afe]) (authenticated bits=0) by v2.bluepopcorn.net (8.14.4/8.14.4/Debian-8+deb8u1) with ESMTP id v5KHqjsN027436 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO) for <dcrup@ietf.org>; Tue, 20 Jun 2017 10:52:48 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=bluepopcorn.net; s=supersize; t=1497981168; bh=M46C7X8N0hZAXRUeiAc0f7KALphdXTSOiqbY3m46Tws=; h=Subject:To:References:From:Date:In-Reply-To; b=q1uhJYfgS8TPA9eax1+9cHCYVorBwESnhMBIUiKRH03MP5JaWNXGDugR+aPDvcASx 55eXrCIDSFvdoNA0jBaQh/aRwV8OM0ZQ6B4Q3Pd3ssUfKrfBdV3fqpi12wRU18NawH sPJW7AzVZmn3e/MAe4njPtATg0QHRRTBlBoF4bTc=
To: dcrup@ietf.org
References: <1642300.47WuTbIWPP@kitterma-e6430>
From: Jim Fenton <fenton@bluepopcorn.net>
Message-ID: <33f087e3-ca27-f425-6d36-4ad11dd16799@bluepopcorn.net>
Date: Tue, 20 Jun 2017 10:52:40 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Thunderbird/52.2.0
MIME-Version: 1.0
In-Reply-To: <1642300.47WuTbIWPP@kitterma-e6430>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/v5JtAJ0iuASWKAgSlUaaU5HJ28k>
Subject: Re: [Dcrup] rsa-sha1 proposals
X-BeenThere: dcrup@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DKIM Crypto Update <dcrup.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dcrup>, <mailto:dcrup-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dcrup/>
List-Post: <mailto:dcrup@ietf.org>
List-Help: <mailto:dcrup-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dcrup>, <mailto:dcrup-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Jun 2017 17:52:52 -0000

If it isn't obvious from my previous comments, I favor the "Deprecate
rsa-sha1" option. I might even suggest we soften it to say that
verifiers MUST implement rsa-sha256 and SHOULD implement rsa-sha1; it's
ultimately up to the verifier to decide what signatures they trust and
they might decide not to implement rsa-sha1 if they know they will never
accept one of those signatures anyway.

Having been away from this stuff for a while, I was startled that the
hash algorithms were named directly in the ABNF rather than by reference
to the registry, but that's what we do apparently. The description of
the rsa-sha1 algorithm (3.3.1 in RFC 6376) can be removed as well when
rsa-sha1 is removed entirely, of course.

-Jim

On 6/20/17 8:39 AM, Scott Kitterman wrote:
> I think we still have some different opinions on what to do with rsa-sha1, so 
> I thought I'd attempt to summarize the different options (as best I can, I 
> have an opinion, so I'm sure my bias will leak in) in the hopes it will help 
> drive this part of the WG discussion to closure.  Note: I'm not talking about 
> RSA key sizes because it seems to me we're largely converged on that topic.
>
> I think there are roughly three options that have been discussed:
>
> Status quo:
>
>> Signers MUST implement and SHOULD sign using rsa-sha256.  Verifiers MUST
>> implement both rsa-sha1 and rsa-sha256.
> Deprecate rsa-sha1:
>
>> Signers MUST implement and sign using rsa-sha256 only.  Verifiers MUST
>> implement both rsa-sha1 and rsa-sha256.
> Remove rsa-sha1:
>
>> Signers MUST implement and sign using rsa-sha256 only.  Verifiers MUST
>> implement rsa-sha256.  rsa-sha1 is obsolete and MUST not be used.
> Note: This option also removes rsa-sha1 from the ABNF.
>
> Pro/Con for each:
>
> Status quo:
> There is no immediate known security threat to rsa-sha1 that would indicate 
> its imminent demise as a useful algorithm in this application and rsa-sha1 
> signatures are still in significant use.  RSA key sizes are the current 
> security issue and that can be fixed without doing anything about rsa-sha1.
>
> There are a number of known shortcomings with rsa-sha1 and given that rsa-
> sha256 is available and does not share the same issues, raising the bar to 
> require rsa-sha256 is easy and a prudent step to take in advance of issues 
> being published.  Let's not wait until we have to panic.
>
> Retaining rsa-sha1 means DKIM implementers will have to deal with three 
> algorithms rather than two and this raises implementation complexity and the 
> risk of things going wrong.
>
>
> Deprecate rsa-sha1:
> There is no immediate known security threat to rsa-sha1 that would indicate 
> its imminent demise as a useful algorithm in this application and rsa-sha1 
> signatures are still in significant use.  RSA key sizes are the current 
> security issue and that can be fixed without doing anything about rsa-sha1, 
> but if we move to a more aggressive stance against rsa-sha1 now, it should be 
> easier to remove it when needed.
>
> There are a number of known shortcomings with rsa-sha1 and given that rsa-
> sha256 is available and does not share the same issues, raising the bar to 
> require rsa-sha256 is easy and a prudent step to take in advance of issues 
> being published.  Let's not wait until we have to panic.
>
> Retaining rsa-sha1 means DKIM implementers will have to deal with three 
> algorithms rather than two and this raises implementation complexity and the 
> risk of things going wrong.
>
> Remove rsa-sha1:
> This option eliminates (to the extent it is adopted) the potential of security 
> risks with rsa-sha1.  If a relevant issue with rsa-sha1 is made public, there 
> will be no further standards work that needs to be done.  This option also 
> keeps the number of algorithms at two, eliminating the additional complexity 
> associated with having more algorithms to sort through in implementation.  
> While this might be considered somewhat abrupt, rsa-sha1 signing has been 
> effectively SHOULD NOT for a decade.  Maybe this will create some momentum for 
> operators to move off of it.
>
> It is abrupt to remove something without a formal deprecation period.
>
> Thoughts?
>
> Scott K
>
>
> _______________________________________________
> Dcrup mailing list
> Dcrup@ietf.org
> https://www.ietf.org/mailman/listinfo/dcrup

v2.30.2 | Report a Bug | By Email | System Status